Shared publicly  - 
The future of fingerprint sensors (Apple doesn't own the best)

You might have heard that Apple's next iPhone will have a fingerprint sensor. Why? Because that would let Apple implement anti-theft and identity services (hint: get rid of passwords!)

This is going to be a HUGE shift in how secure we all are. 

But Apple, with its acquisition of AuthenTec, doesn't have the best technology. First, more on that:

Who does? +sonavation. Why? Because Sonavation's scanner uses ultrasound scanning to actually look at the tissue UNDER the finger's skin. This makes it impossible to cut off someone's finger and use that, for instance. It also makes it possible to get fingerprints even on people who have no fingerprints (I met a guy who rolled cigars in Miami for 40+ years, for instance, that has no fingerprints).

Listen into the CTO talking aobut how the technology works. Really huge technology leap forward. Look at how thin the sensor is, too. 

More about Sonavation at:
Todd Knarr (Jrral)'s profile photoRay Lee's profile photoAndrea Joseph's profile photochikezie Jack's profile photo
The question is, how much more does it cost?
Bout time someone implemented this
cough extortion cough

Biometrics are just as flawed as the rest; passwords are arguably superior; but this will be good for the average user who wasn't smart enough to use a password.
+Robert Scoble That's exactly my point.

Biometrics are better for most people. Just not better than passwords. People just suck at using passwords.

Case in point, aren't most biometrics systems password systems in the end? i.e. it converts your fingerprint into a 'password'.
+Robert Scoble

... I'm not wrong anywhere 'there'.

Please, stop agreeing with me and then calling me 'wrong'. You couldn't be more dishonest if you tried.

You've agree twice now that using "password" is a terrible thing, but you're committing double Ad Hominem, both towards me and towards the password; idiot users bad passwords do not make.
I've never found Apple to acquire the most innovative technology. They're all about incremental scaling plays.
Oh come ON guys.
Yes people create LOUSY passwords, however not everyone  is able to scan their fingerprint. case in point my co-worker and I share an HP laptop with fingerprint reader, She was totally UNABLE to get the computer to get a clean, clear and reliable scan of ANY of her fingers. so she has to use a typed password.
NO system is foolproof, BUT there is some great tech out there to help.
Interesting. There is one company based in Slovakia which has the fastest alghoritm for fingerprint matching which is used by thousands of clients and millions of people around the world
+Robert Scoble Wait, so now you're reversing your opinion? Make up your mind.

I thought you were PRO biometrics. What is the point of this whole post otherwise?

Yes, I am saying that most users are better off using biometrics than a password. But there is no logical corollary that inherently password are worse than biometrics.

So which is it? You are pro biometrics, or not?

"Using a fingerprint to prove you are in possession of your device is FAR FAR FAR superior."


"you say biometrics are better for most people. That is abjectly false."

Seem to be contradicting each other pretty darn plainly.

You amuse me. XD
+Robert Scoble

It occurs to me you may be ignorant of what biometrics are:

(Courtesy Merriam-Webster):

noun plural but singular or plural in construction \-ˈme-triks\*

1: biometry
2: the measurement and analysis of unique physical or behavioral characteristics (as fingerprint or voice patterns) especially as a means of verifying personal identity

You may want to check your definitions more thoroughly before contradicting yourself in future ;)
This is nothing new… Looking inside at tissue and other things, including veins and arteries and the blood flow in them, has been done for a while by many others, including Hitachi and Fujitsu…. So these guys are behind!
+Robert Scoble the forbes article says nothing about competing implementations, and I see no point in mentioning apple as you even say the tech wasn't there when apple was making the acquisition.
You say they have patents, but the question is are they useful. The Forbes article you mention talks about one of the reasons for apple's acquisition was the patents, so I'm wondering what this companies patents cover. Quite clearly it's not the base tech for fingerprint biometrics, and it also makes me wonder if their tech violates existing patents.
+Sebastian Audet, there's a misunderstanding here... You're thinking purely logically, +Robert Scoble is thinking pragmatically because in the real world where we all live (yes even you) solutions don't sink or swim on the strength of their logical underpinnings but rather on their market success, and the market has thresholds of annoyance(rigor placed upon the user) which make or break solutions in the sense that user adoption rises or plummets and with it so too do the implementers' commercial prospects.

Sonogram technology takes cheap and easy fingerprint forgery off the table for would be intruders,  (this is 4D data, which means not only 3D structure but, structure through time is recorded) which raises the forgery difficulty bar sufficiently high enough that... 'probabilistically' ...such a fingerprint reader on mobile devices would require the forging party to commit to simulating your signature to such an extent that the effort would only be worthwhile in a very high payoff scenario i.e. Tens of leagues above what petty theft of an average, non-elite, non-privileged user's smartphone could offer.

Scoble is right, this is the beginning of the end of the average person's investiture with  numerous strong passwords.

This is also very probably, going to be a security enhancement for at least the next couple of decades. Until bio-engineering a cloned and living finger becomes cheap and easy enough to threaten the level of security temporal bio-metric signatures allow.

Most people should just stop reading here...

Frankly, you have to ask yourself if a logical argument for the superiority of passwords makes any sense when the technology needed to clone Scoble's finger from a (hypothetically) tactically obtained field sample is still at least 30 years off. Indeed while we're at it, if a malicious party obtains one's DNA and has the capability to clone one's body parts, at that point aren't there bigger problems afoot? I mean why steal an identity with such technology, why not sell genetically optimized blood or body parts on the black market?
Basically the means would defeat the original ends.

If the technology needed to foil a security system, is so advanced that it could only exist in a wholly different era, then the security system in question has succeeded in providing protection during the era in which it was invented for the era in which it was invented.

That is what we ask of our security systems, not "infinitely powerful protection", that is what (some) mathematicians spend time dreaming about.

So stop thinking like a mathematician and float back to earth.
Not sure what all the hoopla is in this thread, but here's the real story: this technology is awesome, and it ought to be coupled with something we don't have yet ... a single password and username for each person that he/she can change at will using a global update utility. This is arguably MORE secure than the reality that exists currently: people choose dumbass passwords and they have a multitude of them, so their desire to change them is zero, especially considering the huge number of sites to which people are usually subscribed. 
+Joe Hacobian

Science has proven again, and again, and again that that notion is inherently wrong.

What do you think powers any of the pragmatism? Logic. Pragmatism is logic. If it weren't, it'd be pink ponies flying around in the cloud.
+Sebastian Audet

"What do you think powers any of the pragmatism?"

I'm going to throw in the towel and go with the pink ponies.
+Justin Rice I'm not sure where you get that notion from.
Security is weakened by sites sharing one set of credentials. A compromise leaves all sites vulnerable until you know you need to change, and there's latency in pushing that out to all sites.

No, it's likely more a public private key solution with biometrics forming some part of the private key portion. It needs to be cleverly designed however or it opens up whole new vistas for privacy issues.

When YOU are part of the multi-factor login, and you leave your footprints everywhere you login, it's a tracking problem. Unless its abstracted, you don't have a rekeying option.

Precisely along the lines where Apple moved away from apps using the UDID or serialization of the phone to track usage. Now it's a unique generated string, that can be regenerated into a new one on demand, like deleting tracking cookies in a browser. 
Apple, it seems has never been about the best tech, it's about how that tech is actually used or implemented. They were never the first on the best, they are just first at being better. 
I think we could pull up any number of market and profit indicators that show its not as simple as good enough and cheap enough. Win95 indeed.
Would you rather be selling windows or Mac ultra books over the last few years?
+Craig Bowers 

I think the notion is guided by what I, and others, actually want. I truly cannot believe that maintaining 10s or even 100s of passwords is our most secure option. It simply cannot be (on the principled basis that it is absurd), so we must change. Where we lack the capability, we must create it. I know, I know: easier said than done. But, I do some fairly complex things in my field, and I suppose I uphold the same standards in the world of cryptography. This 100s of passwords nonsense is a paradigm that must die.

Having said that, can you help me understand a couple of things with perhaps more detail / context? Can you help me understand what a “footprint” actually is? Also, what is a “tracking problem” and how might “abstraction” solve that? 

Even just links for further reading would be helpful, for instance, one for "abstraction" in the sense you're using it.

There's something I don't quite get. If this thing can scan your heart rate and blood pressure and all that stuff to make it part of your security profile.. What happens if I get one of these things and start working out, or get less healthy. My resting heart rate and blood pressure, etc. change right. Wouldn't I then effectively lock myself out of my own product? +Robert Scoble am I misunderstanding a part of this video? 
+Joe Hacobian if I remember how fingerprints are formed correctly: a cloned finger won't have the same print as the original, because of all the random factors that play a part in the formation of the print. So engineering a "fake key" would be fantastically difficult :-) 
This will make it so much easier to unlock your phone while driving.
The tissueprint by ultrasound might be a viable solution to the countless bypass hacks available for standard fingerprint readers, as demonstrated by CCC in Germany a while ago, as well as by many others. It might be a proper supplement to passwords and two factor authentication, but in secure applications it can not replace either of them.
I worked on biometric access and identity verification in the early 90s, where fingerprint, pulse and heat profile were verified. Yet, this highly advanced, extremely expensive tech was beaten with... simple candle wax.

This technology was applied in immigration/political asylum centers in the Netherlands, where hundreds of people had to check in at random times in the day to prove they had not accepted a job. Devices regularly failed and after a while re realized the cause was... candle wax.

Cheaters would take an imprint of another person's fingerprint by dabbing thier finger in hot candle wax, wait for it to dry, peel it off the finger, invert the candle wax sliver, put it on their own fingertip, and they could then check in on behalf of another...

I wonder if this system could prevent that trick... we never solved it at the time. Cheap cameras and facial recognition weren't around yet.

Unless the hard drive is encrypted, the finger print scanner can be bypassed with a Linux USB boot drive and access to all the data is right there at your finger tips. Same goes for any password for the system, no matter how great your password is.
I can't view the video in the ipad client, but the methods Ive seen elsewhere that look deeper into the finger were about noting the movement and pathways of blood flow.
So not just that you generally have a pulse, but looking at the capillaries as a map. Wax can fake the surface structure, and sure you can provide a warm pulsing under layer, but if the technology is usefully looking at the interior fluid structures of a finger as a fingerprint map, I don't see how that's easily faked.
a faster bio metric authentication tech,  
The two problems I see:

1. Authentication systems always fail. We haven't come up with a single one that's totally and completely uncompromiseable, and there's nothing indicating this'll change any time soon. We've heard about "unfoolable" biometric sensors before, and inevitably they end up being easily fooled. Often by cheating (a real attacker doesn't care whether he cheated or not, only whether he succeeded or not).

2. When the authentication token is literally part of you, recovery from a compromise is impossible. You can't change your fingerprint, you can't change your retina pattern, so once a system which uses those is compromised there's no way to uncompromise it. Compare this to passwords, where if the service's password database is compromised I can simply change my password.

It may be that these biometric sensors are the ones that break the pattern. But I'm not assuming that based solely on the word of a salesman whose commission/salary depends on him saying they are. I'll trust it when there's been 5 years of attacks on it by people whose paycheck depends on breaking it and it's still secure. And even then, I'll still be twitchy because if it's ever broken there is no plan B and I don't like not having a plan B.

I'm a software developer. I don't so much believe in Murphy as I keep having to move the twerp's coffee mug off my documentation.
Ray Lee
Worth taking a look at the FIDO Alliance and seeing what they are doing with fingerprint as an authentication. Apple way overpaid for Authentec
Want to see your invention in the market soon.
Add a comment...